In the previous installments of our e-discovery series, we discussed e-discovery challenges facing organizations and explained how to manage electronically stored information (ESI) so it's available when needed. Check out the first four parts of this series:
- What every IT manager should know about e-discovery
- Five things IT can do to prepare for e-discovery
- Critical to e-discovery: Messaging retrieval and protection
- Prepared for e-discovery: What to know about content monitoring and filtering
We wrap up this series with a look at another piece to an effective e-discovery process: people. E-discovery awareness is similar to general security awareness, and the challenges are the same.
Objectives of an employee awareness program
Don't confuse awareness programs with training. Training deals with developing specific skill sets. The key objective of an awareness program is to focus employees' attention on understanding the concept of discovery and how to perform day-to-day tasks when legal holds are in place. An awareness program supplements and re-enforces training efforts. Without employee awareness, spoliation of discoverable ESI is probable, putting the organization at an unnecessary level of risk.
You can't make employees actively work to maintain and protect the information for which they're responsible -- they have to want to comply. It's up to you to help them understand why it's important to them and the company. Some of the topics you should consider covering an in e-discovery employee awareness program include the following:
- What is e-discovery?
- What is the company's e-discovery and legal hold policy?
- How do the policies translate into practical, day-to-day activities?
- What are the supporting processes?
- What regulations (local, state, and Federal) apply?
- How would failure to comply with an e-discovery request affect the business?
Another important objective of an awareness program is for employees to understand that all levels of management fully supports the company's e-discovery policy. Without strong evidence of management support, your effort is weakened, and employees usually won't be very enthusiastic about learning and retaining this information.
Creating an e-discovery employee awareness programThere are four steps to reaching a working awareness program: design the program, develop or purchase awareness materials, implement the program, and perform post-implementation activities. See Figure A. Figure A
Step 1: Design the programThe design process begins with a needs assessment. Figure B shows the various inputs. Figure B
The graphic shows categories from which you should solicit inputs. Drilling down into each category, you should use the following guidelines to obtain the level of detail you need to document and prioritize the proposed topics:
- Recent incidents: This will give you insight into weaknesses in employee knowledge of processes or e-discovery concepts in general.
- Employee concerns: Employees who are already aware of e-discovery fundamentals can be a good source of information about day-to-day problems related to legal holds or other discovery-related activities.
- Management concerns: Management's perspective is usually more operational or strategic. Their concerns help to complete the picture.
As you design the employee awareness program, keep in mind the following four points:
- Define training goals: Using the results of the needs assessment, define the goals of the program. What concerns are you trying to address? Are you including overall policy, process, standards, and guidelines? How many awareness/training sessions are required to meet your goals?
- Identify target audiences: Awareness presentations should be delivered to three distinct groups: all employees, management, and IT employees. Presentations to all employees include basic concepts of e-discovery and management's expectations. Management sessions should focus on policies and compliance oversight. Material presented to IT personnel must include what information should be readily available for discovery, electronic records retention issues, and where to store various types of information .
- Deliver the message on a frequent basis: Holding one-time sessions and assuming your work is done is a dangerous approach. Over time, the impact awareness sessions have on employee behavior diminishes. Repetition is the key to awareness maintenance. The types of awareness materials you select and your organization's culture play a significant role in how often you bring employees back into the classroom. For example, use of posters, table tents in the cafeteria, or weekly awareness e-mail might result in limiting classroom sessions to once per year.
- Ensure you have management support: Your awareness program will never meet its goals without strong management support. Funding, employee attendance at awareness sessions, and employee perception of the importance of e-discovery all depend on support across all levels of management.
Step 2: Develop or purchase awareness materials
Whether you buy or develop awareness materials internally is not as important as effectively delivering your message. Ensure your materials are easy to use and scalable to large audiences.
Step 3: Implement the program
Once the program design is complete, it's time to roll it out. The first step is communication. Let employees know what to expect and inform them of the importance of e-discovery awareness. In other words, wrap some context around the message. Although you might have strong management support for the concept of e-discovery awareness, make sure all levels of management are enrolled in the actual delivery method.
Step 4: Perform post-implementation activities
After you deliver the initial message, it's important to measure the effectiveness of your approach. Follow these steps to determine its effectiveness, gather feedback, and strengthen the message:
- Monitor for compliance: You might have to get creative to maintain metrics on how employees are doing with regard to compliance. In a large organization (with several legal holds imposed in any given year), this may not be too difficult; keeping communication open between IS and Legal should provide enough insight. Smaller organizations might not know how they're doing for years, when the rare discovery request hits the door.
- Obtain stakeholder feedback: Using the same inputs as Figure B, solicit stakeholder feedback about the perceived success of the awareness program.
- Adjust the program to address weaknesses: Based on feedback, make adjustments to your program materials and delivery methods.
The final word
This completes the series on e-discovery. We've examined the need for e-discovery processes and the consequences for organizations that ignore the inevitability of a discovery request. We also looked at how to maintain control of discoverable information, via both technology and employee awareness.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.